Operating systems that manage computing devices can provide various services to system programs, application programs, external programs, and so forth. One such operating system service, which provides Internet services (e.g., MICROSOFT INTERNET INFORMATION SERVER), is commonly referred to as a “web server.” A web server may contain several application pools, each of which is a collection of one or more web applications. Each web application may operate in one or more processes that the operating system associates with the web server. As an example, the web server may start a process for each web application. Subsequent requests to the web application may be handled by the process started for that web application.
Each process executes in the security context of a user account. User accounts (or simply “accounts”) can have various security attributes. While some accounts have increased security attributes, such as an administrator account, other accounts have reduced security attributes, such as an Internet user account. The security attributes can indicate which operating system resources (or other resources) the account has permissions on. Web applications inherit the security attributes of the processes in which they execute. Thus, system administrators generally configure specific accounts for each web application. As an example, system administrators may configure accounts such that one web application cannot interact with another web application and cannot access other resources of the operating system on which the web server operates. Typically, accounts associated with web applications are provided very minimal permissions so that a web application cannot inadvertently or maliciously interact with other aspects of the web server, such as other web applications. The accounts are conventionally created and managed in relation to the web server or a network security resource, such as ACTIVE DIRECTORY.
User accounts can be associated with security tokens, such as security identifiers (SIDs). A SID is a variable-length value that operating systems can use to identify a security principal, such as a user account, or a security group. The SID can be associated with various security attributes so that, for example, different SIDs can have different permissions on resources of the operating system. Typically, a SID with minimal security attributes is created for processes that handle web applications.
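To make the "variable length" property of a SID concrete, the following added example (not part of the original text) decodes the binary SID layout used by Windows into its `S-R-A-S...` string form and validates its length. The helper names `parse_sid` and `build_sid` are hypothetical, and the domain-style sample SID is constructed for illustration.

```python
import struct

MAX_SUB_AUTHORITIES = 15  # upper bound in the Windows SID layout


def parse_sid(raw: bytes) -> str:
    """Decode a binary SID: 1-byte revision, 1-byte sub-authority count,
    6-byte big-endian identifier authority, then count * 4-byte
    little-endian sub-authorities. Total length is 8 + 4 * count."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > MAX_SUB_AUTHORITIES:
        raise ValueError(f"too many sub-authorities: {count}")
    expected = 8 + 4 * count
    if len(raw) != expected:
        # Reject truncated or padded buffers instead of guessing.
        raise ValueError(f"expected {expected} bytes, got {len(raw)}")
    authority = int.from_bytes(raw[2:8], "big")
    # Authorities that do not fit in 32 bits are written in hex.
    auth = str(authority) if authority < 2**32 else f"0x{authority:012X}"
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), auth, *map(str, subs)])


def build_sid(authority: int, *subs: int) -> bytes:
    """Encode a revision-1 SID; used here only to create sample input."""
    header = bytes([1, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack(f"<{len(subs)}I", *subs)


# Well-known SIDs: LocalSystem and the built-in Administrators group.
LOCAL_SYSTEM = build_sid(5, 18)
ADMINISTRATORS = build_sid(5, 32, 544)
# Constructed sample of a domain-style account SID (values are made up).
SAMPLE_ACCOUNT = build_sid(5, 21, 1111111111, 2222222222, 3333333333, 1001)

if __name__ == "__main__":
    for sid in (LOCAL_SYSTEM, ADMINISTRATORS, SAMPLE_ACCOUNT):
        print(f"{len(sid):2d} bytes  {parse_sid(sid)}")
```

The three samples occupy 12, 16 and 28 bytes respectively, which is why code that stores or compares SIDs must carry the length rather than assume a fixed size.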
Managing accounts can be problematic. System administrators need to ensure that each account that is added has the correct set of security attributes. Otherwise, a web application may be able to exploit a security vulnerability, for example to take actions that are undesirable or harmful to the web server or other web applications. System administrators may also need to ensure that passwords associated with these accounts satisfy various security policies, such as a requirement that they be changed periodically.
A system administrator of an Internet Service Provider (ISP) may administer hundreds of web servers. Thus, when deploying a web application to multiple web servers, the system administrator generally configures each web server or employs a network security resource to set up accounts for the web application. Each such account then needs to be administered, for example to comply with various security policies. ISPs that host many web applications may need accounts for each web application, and so deploying web applications can become quite tedious and prone to error.